Tuesday, October 25, 2011

Why penetration testing information should be destroyed?

Penetration testing is a sensitive testing mechanism against organizational assets. Penetration testing focuses on the current infrastructure of an organization network and its weaknesses. This test is able of identified most sensitive information security weaknesses of organizations’ network infrastructure. This sensitive information is very critical to organizations and protecting this from unwanted hands is utmost priority. When a penetration testing assignment is underway, it is important to reveal most of the business critical operations, information, critical assets, resource persons, etc to penetration testing team. On the other hand, during their penetration testing process, penetration-testing team can learn many hidden vulnerabilities, security weaknesses, and business process weaknesses and many more. These hidden weaknesses can create catastrophe event to organization without any notification, if goes to intruders or malicious users hands. Although the criticality of this information is very high, organization cannot do penetration testing with their internal teams. This is due to lack of experience, exposure, qualifications, equipments, knowledge of internal teams or lack of personal resource availability within the organization. Hence, organizations have to go for external resources by taking a slight risk. However, many of these risks can be covered via appropriate legal bindings, and selecting reputed, qualified, and professional team of penetration testers. Organizations must draft appropriate legal terms and bindings and get third parties abide by them to protect the organization that they may face in case of breach of confidentiality. In the normal practice and depending on the sensitivity of the information client organizations and third party penetration testing team can agree to destroy the information gathered during the penetration testing process. Furthermore, it should be noted, that client organization must specifically mention the information that they wanted the service provider (penetration testing team) to destroy and the period of time that the penetration testing team can retain confidential data before destroying. On the other hand, it should be clearly define the process to destroy, and confirmation of destroy, etc.

In case, if the external penetration testing team does not destroy the information, it is an unprofessional behavior of that origination or the team, and they might face legal charges or imprisonment depending on the case. Penetration testing team can be victims of, negligence of duties, breach of confidence, reputational damages, and legal actions. Since, the criticality of the information it is advised to destroy the collected information. For instance, if an attacker infiltrate penetration testing team member’s laptop where critical data is stored, attacker can extract very valuable first hand information from without much difficulty. This information can be used against the client organization to blackmail, threaten, attack, steal more information, and selling extracted information to third parties (hackers, competitors), etc.

It is imperative to select very reputed and professional team of penetration testers for your penetration testing projects. Below given are few ways to gauge the penetration testing vendor.

· Check whether the penetration testing is their core competencies. Some organizations provide this as a value added service and not master in the area.

· Check for the real world implementation and experience, rather than paper qualifications of testing team

· Evaluate vendors trustworthiness and competence

· Consider the cost versus frequency of penetration testing needed to conduct

· Find real penetration tester who are expert in the field and have practical experience in real environment, this is difficult to find but it will be worth the test

· Ask for references from vendor and verify their status

· Perform a thorough background check to identify the real nature of the vendor

1 comment:

Nightlionsecurity said...

Nice post.! Thanks for Sharing.

Penetration Testing